STE WILLIAMS

The overcrowded endpoint security market is rife with activity as its many players compete to meet new enterprise demands and large companies buy small ones in hopes of staying afloat.

Gartner listed 20 companies in its “2019 Magic Quadrant for Endpoint Protection Products,” says Peter Firstbrook, research vice president with the company and one of the report’s authors, but he could have easily invited another 10. “There’s far too many,” he points out. “This market is overdue for consolidation.”

What made it so crowded? There are two types of companies in the endpoint security market, which, in general, provides centrally managed technology to lock down the endpoint. The traditional giants, including McAfee, Symantec, and Kaspersky, were early players in the market and historically provided antivirus tools and firewalls to defend machines against cyberattacks.

“Then someone would come up with a new way to attack endpoints, and someone else would come up with a way to block those attacks,” says John Pescatore, SANS’ director of emerging security trends, of how the market evolved – until a new wave of companies introduced the idea that protection is never perfect. Businesses must be able to detect and respond to threats.

The shift to endpoint detection and response (EDR), and the consequent proliferation of endpoint-focused companies, began when ransomware started to become a major enterprise problem, Firstbrook explains. Incumbent providers were complacent in their roles and “caught flat-footed” when ransomware hit. It wasn’t necessarily the vendor’s fault, he adds, noting that customers didn’t always upgrade their systems as needed. Still, the problem demanded a change in how organizations approached security and kept their security software up-to-date. 

“Ransomware was a big wake-up call, costing serious amounts of money, and companies were going out of business,” Firstbrook says. Incoming EDR companies, including CrowdStrike, Carbon Black, SentinelOne, and Endgame, took an approach to security the older players hadn’t, with behavioral-based detection instead of seeking indicators of compromise. It’s much more efficient to watch for strange behavior than to watch for every version of malicious software.

“It’s really hard for [attackers] to completely rearchitect a program,” Firstbrook says. “Behavioral-based detection forces them to rewrite it. EDR and behavioral detection are becoming primary components of endpoint detection solutions.” EDR companies brought several new advantages — for example, the ability to run on top of more traditional platforms.

These startups, with their new behavioral-based approach and “assumed breach” mindset, generated venture capital money, Firstbrook explains, and the market grew. Both old and new endpoint security businesses have their strengths. Now, there are simply too many of them.

Redefining the Endpoint
One of the biggest trends in today’s endpoint security market is product management, and much of the decision-making for security products is moving to the cloud. Traditional endpoint companies sold on-premises systems to communicate with a central cloud server that provides IOC data. That made it tough to keep users updated; however, moving management servers to the cloud eliminates this requirement and gives users the most current protection.

Cloud and virtualization are changing the definition of the endpoint and companies’ approach to securing it, SANS’ Pescatore explains. As the attack surface grows to include firmware and supply chain attacks, organizations are investing more in cloud-native products to protect themselves.

The promise of a cloud-based platform is as threats change, companies can detect and react to changes without having to install any new management software. They don’t have to maintain the management server, it’s easy to get up and running, and it’s easy to pull data from clients outside the network. While “cloud native” is hard to define, Firstbrook points to CrowdStrike as the best example, citing its lightweight architecture and role as a rules enforcement engine and data collection engine. If a company has an idea for how to create a rule, it can do it.

Amid such a disruptive period, it can be difficult for bigger firms to keep up. Firstbrook points to Symantec: It offers a cloud-based management console, but there is not a lot of integration between protective technology and EDR technology. He says it may be a little more clunky, and a little less efficient, until the company converges to fully cloud-native architecture.

“They see the changes, and they’re addressing them, but I think at this point it’s such a big change they may not make the changes in time to really capture it,” Firstbrook adds.

On top of the move to cloud, there is a greater demand for simplicity, says Hank Thomas, partner at Strategic Cyber Ventures. Security buyers in the enterprise are tired of dealing with complex systems and multiple point products for narrowly focused needs. “They want to focus on security tools that they can remotely maintain and are consolidated in one place,” he said.

Endpoint security products are becoming harder to use, Firstbrook points out. People want them to be more sensitive, but they’re not always qualified to review the data and say whether it’s a false positive or actual threat. As a result, vendors are starting to provide more operational services, from installation, to configuration, to light management, to full management. IT teams don’t have time to swap out their vendors, learn a new tool, and continuously monitor it.

“Endpoint is something everyone has to do, but not every company has to be an expert in,” he adds. Going forward, it will be important for endpoint security tools to adopt to different detection technologies or new machine learning techniques without the client needing to act.

Too Many Cooks in the Kitchen?
The endpoint security market has grown packed with companies old and young attempting to meet these new enterprise demands. Several recent acquisitions underscore the growing importance of new technologies among older companies struggling to innovate, experts say.

{Continued on next page} 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/endpoint/in-a-crowded-endpoint-security-market-consolidation-is-underway/d/d-id/1336125?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Criminals are using the Tor browser — long a favorite of privacy-conscious users — to steal Bitcoin from their victims, researchers at ESET have discovered. The campaign, aimed at a Russian-speaking audience, uses a number of steps to convince users to install a weaponized version of Tor masquerading as the official Russian-language version of the browser. From there, settings and extensions loaded with the malicious browser allow the criminals to manipulate the pages displayed to users, leading them to sites that take Bitcoin from wallets without the owners’ permission.

According to the researchers, the bitcoin-stealing campaign has been active and unnoticed for years. Anton Cherepanov, ESET senior malware researcher, notes that the Bitcoin wallets into which stolen Bitcoins are deposited have been active since 2017.

Cerepanov says the JavaScript payload ESET researchers have seen delivered by the malicious websites targets three of the largest Russian-speaking darknet markets. This payload attempts to alter QIWI (a popular Russian money transfer service) or Bitcoin wallets located on pages from these markets.

The campaign is ongoing.

Read more here.

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/tor-weaponized-to-steal-bitcoin/d/d-id/1336127?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The organizers of Black Hat Europe have already announced some cutting-edge cybersecurity Briefings for the upcoming December event, including intriguing Applied Security Briefings on everything from cracking PDF encryption to the underground world of anti-cheat software.

Unveiling the Underground World of Anti-Cheats is a 50-minute Briefing about how a security researcher analyzed, tested and discovered multiple bypassing techniques against contemporary anti-cheat technologies. You’ll learn about a combination of static and dynamic investigation techniques including XignCode3, EasyAntiCheat and BattleEye and discover the virtues and weaknesses of each, along with a new tool for testing anti-cheat technology.

ClusterFuzz: Fuzzing at Google Scale offers you an inside look at how a Google team overcame the challenges of scaling to build and operate the largest publicly known fuzzing infrastructure, running over 25,000 cores and 2,500 targets. You’ll see how ClusterFuzz helped find 8,000 security vulnerabilities in several Google products, learn how it completely automates the entire fuzzing lifecycle, and hear how the process of writing fuzz targets into developer workflows was made to work at scale.

How to Break PDF Encryption promises to give attendees detailed insights and results from the analysis of PDF encryption tests on 27 of the most popular PDF viewers on the market. Researchers will demonstrate two novel techniques for breaking the confidentiality of encrypted documents, and walk you through responsible identification and disclosure processes.

Get more information on these and other practical presentations in the Briefings schedule for Black Hat Europe, which returns to The Excel in London December 2-5, 2019! For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/learn-about-the-underground-world-of-anti-cheats-at-black-hat-europe/d/d-id/1336115?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

First Prize ( $25 Amazon gift card) goes to Deadsnott, aka John-Paul Power, whose day job is information developer at Symantec. The winning caption:

Second prize ($10 Amazon gift card) awarded to havancourt, with the punny “The auditors are performing a SOX review.”

Finally, many thanks to everyone who entered the contest and to our loyal readers who cheered the contestants on. Also, a shout out to our judges, John Klossner and the Dark Reading editorial team: Tim Wilson, Kelly Jackson Higgins, Sara Peters, Kelly Sheridan, Curtis Franklin, Jim Donahue, Gayle Kesten, and yours truly.

If you haven’t had a chance to read all the entries, be sure to check them out today.

Related Content:

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “How to Build a Rock-Solid Cybersecurity Culture.“

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting … View Full Bio

Article source: https://www.darkreading.com/operations/soc-puppet-dark-reading-caption-contest-winners/a/d-id/1336118?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Modern computers expect a certain consistency in their operating environments. A nice, steady ticking of the electronic clock; smooth, consistent voltage to make everything run; and internal system temperatures that fall within a certain specified range. When their expectations aren’t met, weird things can happen.

If those “weird things” happen because of unanticipated power fluctuations, it can be annoying. If they happen because a malicious actor intentionally manipulated power or other environmental elements, they can be the beginning of a devastating attack.

Enter glitching.

Glitching attacks are defined as attacks that involve causing a hardware fault through manipulating the environmental variables in a system. When power, high-temperature sensors, or clock signals are interrupted, the CPU and other processing components can skip instructions, temporarily stop executing programs, or behave in other ways that can allow attackers to slip malicious instructions into the processing gaps.

Glitching is most useful for systems that serve special purposes (like encryption), or those that are “headless” — IoT computers that don’t have a standard user interface that can be manipulated by normal malware or social engineering techniques.

It’s an outlier technique in the threat actor’s toolkit, though. Glitching generally requires intimate knowledge of the hardware and software of the specific system under attack and it requires physical access to that system. It is, though, something that security professionals should know about, especially if they have IoT systems under their care.

It should be noted that glitching attacks are neither easy nor simple to pull off (although researchers recently made it easier by releasing chip.fail, a toolkit to bring glitching “to the masses”). The goal in glitching isn’t simply to stop a system from running — that could be done by simply cutting power in most cases — but to gain access to the system’s resources or damage its ability to effectively complete its given task, when a purely software approach isn’t effective.

Timing’s Leading Edge
Many glitch attacks are based on the shape of a signal. The electrical signals that move through a computer system tend to have sharp rises and drops. On an oscilloscope, the image is a series of square waves. The processor knows to start a new instruction when it detects a sharp rise in voltage — the “leading edge” of the wave. In a presentation given at Black Hat 2015, Bret Giller, a computer security consultant at NCC Group, provided steps for implementing an electrical glitching attack. 

In his presentation, Giller points out that each instruction takes a certain amount of time to execute; the execution time and the timing of those leading edges are in sync. If an attacker can inject a leading edge into the circuit so that it arrives too soon, then the processor can be tricked into executing a new instruction before the previous instruction has finished, or into skipping instructions altogether.

This kind of glitching can involve a power spike or manipulating the system’s clock by speeding it up (overclocking). Ricardo Gomez da Silva, a faculty member at Technische Universität Berlin Institut für Softwaretechnik und Theoretische Informatik, described these clock-glitching attacks and discussed how to protect against them in a paper published in 2014.

An attacker could gain access to the hardware and just inject stray signals to see what happens, but that’s unlikely to be productive. Instead, as Ziyad Alsheri pointed out in a presentation given at Northeastern University in the fall of 2017, the attacker needs to have intimate knowledge of the processor, the overall system, and the software in order to know precisely when to inject the spurious signal and what to do with the brief burst of resulting chaos.

Glitching the Fall
While instruction execution is triggered by the leading edge of a signal, there are some operations, such as writing data to a memory location, that can be triggered by the sharp voltage fall on the trailing edge of a wave.

A drop in the voltage supplied to the system can eliminate the sharp drop that triggers operations. In his Black Hat presentation, Giller said these “brown out” glitches can be responsible for data corruption and lost information, among other consequences. This sort of data corruption attack can be valuable when the system under attack is responsible for encryption or authentication. Disrupting the data in one part of the process can weaken the entire process to the point that the protection is ineffective.

Outliers
By now, it should be obvious that there are easier ways to hack most systems. The descriptions given in academic papers and research notes show a process that involves a great deal of research and physical access in order to compromise a single system.

However, researchers Thomas Roth and Josh Datko made it simpler and less expensive at Black Hat 2019, when they presented “Chip.Fail,” research conducted with their partner Dmitry Nedospasov. Not only did they demonstrate their glitching (fault-injection) attacks on IoT processors, they did so using less than $100 of equipment. They released this toolkit and framework at the conference, so researchers can test chips’ vulnerability to these types of attacks.  

Nevertheless, glitching may never replace social engineering as a way into office productivity computers. So far, it is not even a huge factor in compromising embedded control systems in the real world.

Yet cybersecurity professionals should remain aware of its possibilities because academic research can become a real-world attack with the breakthrough of a single dedicated security research team.

Related Content:

• Meet FPGA: The Tiny, Powerful, Hackable Bit of Silicon at the Heart of IoT
• How FISMA Requirements Relate to Firmware Security
• Unsecured IoT: 8 Ways Hackers Exploit Firmware Vulnerabilities
• 7 Reasons You Need Security at the Edge
• 6 Security Considerations for Wrangling IoT

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/edge/theedge/glitching-the-hardware-attack-that-can-disrupt-secure-software-/b/d-id/1336119?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A CenturyLink customer information database with some 2.8 milliion records was found exposed on the public Internet, exposing personal details of hundreds of thousands of its customers.

Researchers from Comparitech and security researcher Bob Diacehnko found the misconfigured MongoDB database on Sept. 15. According to the researchers, the database – which was affiliated with a third-party notification platform used by CenturyLink – had been exposed for 10 months. It was locked down on Sept. 17, two days after the researchers alerted CenturyLink.

Customer names, addresses, email addresses, and phone numbers were exposed. 

“The data involved appears to be primarily contact information and we do not have reason to believe that any financial or other sensitive information was compromised,” CenturyLink said in a statement to Comparitech. “CenturyLink is in the process of communicating with the affected customers. We will continue to work with our vendors to protect customer information.”

Read more here. 

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/centurylink-customer-data-exposed-/d/d-id/1336123?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple